States at Odds With Feds on Data Breach Proposals

McAllen, Texas, police Chief Victor Rodriguez talks to media next to dozens of fraudulent credit cards that were confiscated in relation to a data breach at Target. Companies often have to comply with a variety of laws in multiple states when a data breach occurs. (AP)

As Americans’ personal information continues to move online, everything from medical records to mothers’ maiden names, Social Security numbers and fingerprints are increasingly up for grabs. And the states and the federal government are at odds on how to respond.

Since California first began enforcing data breach reporting requirements in 2003, 46 other states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have implemented varying degrees of regulation, including requirements to provide free credit monitoring to victims, quickly notify consumers of a breach and tell state attorneys general or other agencies about compromised records. States are toughening their laws by broadening the definition of “personal data,” requiring timelier reporting and expanding the number of people or agencies companies must notify of a breach.

In contrast, Congress is just now coalescing around federal standards. Pending legislation would preempt the collage of state laws and enforce a definition of personal information that is narrower than what many states use.

Caught in the middle are businesses, which would prefer a single federal standard to the different state requirements, and consumers who must scramble to protect their bank accounts, credit cards and credit worthiness from thieves who steal their identities to attack their assets.

Scott Talbott, a senior vice president of government affairs with the Electronic Transactions Association, which represents banks, companies that make credit card swipe terminals and online payment companies, said his organization welcomes a tough standard, but that continuing to comply with so many state regulations is complicated.

Without a federal standard, reporting breaches will continue to be a cumbersome and expensive task, he said.

“Letting consumers know what to expect with one law we think is preferable, is more efficient and works better for all parties involved in the current system,” Talbott said.

David Thaw an assistant professor of law and information services at the University of Pittsburgh, said the proposed federal Data Security and Breach Notification Act of 2015 is just a reporting law—one that is less stringent than many state laws. What’s really needed, Thaw said, is a broad federal law that would require companies to have better cybersecurity to protect consumers’ information and privacy from breaches.

He said the patchwork of state laws more effectively protects consumers, and that complying with them is not as hard as companies say it is.

“I am 100 percent certain I could write a computer program which would take all of the inputs from a given data breach and spit out all the notification letters,” he said. “It’s not hard. There are very good attorneys out there who can put out all the notifications for all the jurisdictions and get it right and get it done.”

Breach Reporting Across the States

With hacking attempts numbering into the thousands each day, hundreds of U.S. data breaches occur annually. In the last two years, retail giants such as Target, Home Depot and eBay have been hacked, exposing the personal information of millions of customers. Health insurance companies such as Anthem, which saw 80 million records compromised during a breach in January, have also become targets of thieves who use medical data to cobble together enough information to defraud people.

According to the Identify Theft Resource Center (ITRC), there have been more than 5,000 breaches in the United States affecting more than 780 million records containing personal information since the center began tracking them in 2005. So far this year there have been 348 breaches which compromised more than 100 million records, according to ITRC.

At least 32 states considered legislation this year that would establish or expand data breach policies, according to the National Conference of State Legislatures. The proposals include expanding the kinds of personal information that if lost or stolen trigger a report to consumers, requiring companies to report breaches to state attorneys general and extending data protections to students’ information.

In May, Illinois lawmakers updated the state’s 2005 Personal Information Protection Act to require companies to report breaches to the attorney general’s office. The updated law expands the definition of “personal information” to include records of where a customer has been, online browsing details and purchase histories.

Proponents say that requiring companies and organizations to notify an attorney general of a breach guarantees that consumers will receive information about their compromised data and that breaches can be appropriately investigated.

The bill is one of the most comprehensive in the nation, said Democratic Illinois Attorney General Lisa Madigan. Republican Gov. Bruce Rauner has not said whether he will sign it.

“Identity theft is an enormous problem,” Madigan said. “It’s sometimes very difficult to identify, very difficult to clean up, and it can have an enormous impact on somebody’s ability to function in our world.”

Twenty-one states and Puerto Rico require companies to report data breaches to the attorney general’s office or another state agency. Three more states—Montana North Dakota and Washington—have similar laws that will take effect by the end of the year.

In Connecticut, considered to be at the forefront of data breach policy, companies have been required to report their breaches to the attorney general since 2012. Connecticut’s Democratic attorney general, George Jepsen, said that the law has forced many companies to disclose breaches they otherwise wouldn’t have reported. His office now receives about 400 breach notifications a year.

The vast majority of the breaches are small and not harmful, Jepsen said. But Connecticut residents are better protected, he said, because his office has the power to investigate the breaches and pursue legal action if companies don’t do what they are supposed to do.

“If Connecticut has 400 breaches, I guarantee you there’s no way the feds are going to be looking at all 400,” Jepsen said. “There continues to be an important role for states’ attorneys general. We’ve got the boots on the ground to do the work.”

The ability of state attorneys general to investigate and enforce data breach laws holds companies accountable to consumers whose data is lost or stolen, said Thaw, the University of Pittsburgh professor.

“State attorneys general bring a lot more enforcement resources to bear,” Thaw said. “In this case you have 47 different entities, any of which for a large scale breach, can enforce. That’s a pretty big threat to make sure you report a breach.”

A Congressional Standard

Jason Brewer, vice president for communications and advocacy at the Retail Industry Leaders Association said his organization favors a federal standard that would preempt state laws.

Reacting to a breach often involves setting up and staffing call centers, communicating with Internet service providers to ensure that email notifications aren’t caught in spam filters, and then identifying and reaching out to people affected by a breach, Brewer said.

“Part of the challenge is there’s a lot more that goes into notifying than hitting send on an email,” he said.

The average cost of a data breach to a U.S. company in 2015 is $6.5 million, according to a study conducted by the Ponemon Institute. The average cost per lost or stolen record is $217. Much of that cost — $143 — covers indirect costs such as lost customers. The remainder covers direct costs such as technology and legal fees.

Edward Marshall, a partner with the Atlanta-based law firm Arnall Golden Gregory LLP, represents payment card processers. He said a federal standard would streamline the reporting process and reduce the legal fees of companies that are often dealing not only with the cost of reporting a breach but also with fallout from shareholders and consumers.

“It is a very cumbersome process that I would argue takes away from where the emphasis should be placed [on fixing the breach],” Marshall said. “I’ve heard a lot of people say when you’ve become a victim of a breach, it becomes your full-time job for a year.”

For Eva Velasquez, president and CEO of the Identity Theft Resource Center, there are both pros and cons to a federal law.

Velasquez said a federal law could protect citizens in the three states – Alabama, New Mexico and South Dakota – without data breach reporting laws but could provide less protection to consumers in states with tougher laws.

About The Pew Charitable Trusts

The Pew Charitable Trusts is driven by the power of knowledge to solve today's most challenging problems. Pew applies a rigorous, analytical approach to improve public policy, inform the public and invigorate civic life.

Trust Magazine

Our quarterly news magazine. Every issue features articles on Pew’s work from across the organization.Read current issue ›